Last month, I received an email that made me pause. A user wanted all their data deleted from our system. Not just their account—everything. Every comment they'd made, every interaction, every trace of their presence. They invoked their "right to be forgotten" under GDPR.
I'll be honest: my first thought was panic. How do I even find all their data? What if I miss something? What if deleting it breaks something else? But after walking through the process, I realized it's actually pretty straightforward—if you're prepared.
Data deletion requests are becoming more common. As privacy awareness grows, users are exercising their rights. Under GDPR, CCPA, and other privacy laws, people have the right to request deletion of their personal data. And you need to know how to handle these requests properly.
Understanding the Right to Deletion
Different laws frame this right differently, but they all boil down to the same thing: users can ask you to delete their personal data, and in many cases, you must comply.
GDPR: Right to Erasure
GDPR Article 17 grants the "right to erasure"—commonly called the "right to be forgotten." This applies when:
- The data is no longer necessary for the original purpose
- The user withdraws consent
- The user objects to processing and there's no overriding legitimate interest
- The data was unlawfully processed
- You need to comply with a legal obligation
There are exceptions, though. You don't have to delete data if you need it for legal claims, compliance with legal obligations, public interest, or legitimate interests that override the user's request.
CCPA/CPRA: Right to Delete
California's privacy laws give consumers the right to request deletion of personal information. Unlike GDPR, CCPA doesn't require a specific reason—if someone asks, you generally need to comply unless an exception applies.
Exceptions include completing transactions, detecting security incidents, exercising free speech, complying with legal obligations, and using data for internal purposes that align with consumer expectations.
Other State Laws
Virginia, Colorado, Connecticut, and other states with privacy laws have similar deletion rights. The specifics vary, but the core principle is consistent: users should be able to remove their data.
What "Deletion" Actually Means
Here's where it gets tricky. "Delete" doesn't always mean "delete forever." Different types of deletion serve different purposes:
Hard Deletion
Permanently removing data from your systems. This is what most users expect when they request deletion. The data is gone and cannot be recovered or restored.
This is appropriate for most deletion requests, but it's also the most disruptive. Once data is hard-deleted, you can't recover it if you later realize you needed it for legal reasons.
Soft Deletion
Marking data as deleted without actually removing it. The data still exists in your database but is flagged as deleted and hidden from normal operations.
This is useful for compliance with retention requirements or legal holds. You can satisfy the user's request while maintaining data you might need for legal purposes.
Anonymization
Removing personally identifiable information while keeping the underlying data. If you have analytics data tied to a user, you might remove the user identifier but keep aggregated statistics.
This satisfies deletion requirements while preserving valuable business insights. Just make sure the anonymization is truly irreversible—if you can re-identify someone, it's not anonymized.
Preparing for Deletion Requests
The best time to prepare for deletion requests is before you get one. Here's what you need in place:
Know Where Data Lives
Create a data inventory. Where do you store user data? Production databases, backups, analytics systems, third-party services, logs, email systems? You can't delete what you can't find.
I recommend documenting this as you build features. When you add a new data collection point, note it in your inventory. This makes deletion requests much easier to handle.
Establish Deletion Procedures
Have a documented process for handling deletion requests. Who receives them? Who processes them? What's the timeline? What systems need to be checked?
GDPR requires responding within one month (extendable to three months for complex requests). CCPA requires responding within 45 days. Having a process prevents delays.
Automate Where Possible
If you can automate deletion, do it. Many deletion requests are straightforward—delete the user account, remove associated data, done. Automation reduces errors and speeds up responses.
But keep human oversight for complex cases. Some requests involve data shared with third parties, legal holds, or data needed for ongoing transactions.
Handling a Deletion Request
When you receive a deletion request, follow these steps:
1. Verify Identity
Before deleting anything, verify that the person making the request actually owns the data. Without this check, a deletion request becomes a way for someone else to destroy a user's data, so treat it as a security control, not a formality.
For accounts, require login or email verification. For data not tied to accounts, request additional verification like matching information you have on file.
2. Identify All Data
Search your systems comprehensively. Don't just delete the obvious stuff—check:
- User accounts and profiles
- Transaction records
- Communication logs (emails, messages)
- Analytics data
- Backup systems
- Third-party services you use
- Log files
- Marketing databases
Missing data can lead to compliance issues. Take your time and be thorough.
3. Check for Exceptions
Before deleting, check if any exceptions apply. Do you need the data for:
- Legal claims or defense?
- Compliance with legal obligations?
- Completing transactions?
- Detecting security incidents?
If exceptions apply, you may not need to delete everything—or you might need to explain why you're retaining certain data.
4. Delete the Data
Once you've identified what to delete, do it systematically. Delete from production systems first, then backups. If you use third-party services, request deletion from them too.
Document what you deleted and when. This helps if questions arise later.
5. Notify Third Parties
If you've shared the user's data with third parties, notify them about the deletion request. Under GDPR, you're required to inform third parties unless this proves impossible or involves disproportionate effort.
Keep records of who you notified and when. This demonstrates compliance effort.
6. Confirm Completion
Respond to the user confirming what was deleted and what (if anything) was retained and why. Be transparent about the process.
If you couldn't delete everything, explain why. Users appreciate transparency, and it reduces follow-up questions.
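To tie the deletion types above (hard, soft, anonymize) to the six-step procedure, here is an added example of a deletion workflow driven by a data inventory. It is not code from the original post; the inventory, table names and sample rows are all hypothetical and constructed, using an in-memory SQLite database so it runs offline.

```python
import sqlite3
from datetime import datetime, timezone
# Hypothetical inventory: table -> (user column, action). "hard" removes rows, "soft"
# flags rows kept under a legal obligation, "anonymize" severs the link to the user.
# Table and column names come only from this constant, never from request input.
INVENTORY = {
    "users": ("id", "hard"),
    "comments": ("user_id", "hard"),
    "transactions": ("user_id", "soft"),  # retained for accounting rules
    "analytics_events": ("user_id", "anonymize"),
}

def build_sample_db():
    conn = sqlite3.connect(":memory:")  # constructed sample data, not a real system
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE comments(id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT);
        CREATE TABLE transactions(id INTEGER PRIMARY KEY, user_id INTEGER, deleted_at TEXT);
        CREATE TABLE analytics_events(id INTEGER PRIMARY KEY, user_id INTEGER, event TEXT);
        CREATE TABLE deletion_log(user_id INTEGER, table_name TEXT, action TEXT, at TEXT);
        INSERT INTO users VALUES (1,'alice@example.com'),(2,'bob@example.com');
        INSERT INTO comments VALUES (1,1,'hi'),(2,1,'bye'),(3,2,'hello');
        INSERT INTO transactions VALUES (1,1,NULL),(2,2,NULL);
        INSERT INTO analytics_events VALUES (1,1,'login'),(2,1,'click'),(3,2,'login');
    """)
    return conn

def process_deletion_request(conn, user_id, legal_hold=False):
    """Apply each table's action, log it, return {table: action} for the confirmation."""
    if legal_hold:  # an exception applies: retain everything and tell the user why
        return {t: "retained: legal hold" for t in INVENTORY}
    now, report = datetime.now(timezone.utc).isoformat(), {}
    for table, (col, action) in INVENTORY.items():
        if action == "hard":
            conn.execute(f"DELETE FROM {table} WHERE {col} = ?", (user_id,))
        elif action == "soft":
            conn.execute(f"UPDATE {table} SET deleted_at = ? WHERE {col} = ?", (now, user_id))
        else:  # keep the event for aggregate statistics, drop the identifier
            conn.execute(f"UPDATE {table} SET {col} = NULL WHERE {col} = ?", (user_id,))
        conn.execute("INSERT INTO deletion_log VALUES (?,?,?,?)", (user_id, table, action, now))
        report[table] = action
    conn.commit()
    return report

def residual_references(conn, user_id):
    """Verification: tables still linking to the user (soft-deleted rows excluded)."""
    return [t for t, (col, action) in INVENTORY.items()
            if conn.execute(f"SELECT COUNT(*) FROM {t} WHERE {col} = ?"
                            + (" AND deleted_at IS NULL" if action == "soft" else ""),
                            (user_id,)).fetchone()[0]]
```

Running `residual_references` after the request is the "test your process" check: an empty list means every inventoried table was covered, and the `deletion_log` rows are the record of what was done and when.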
Common Challenges
Deletion requests aren't always straightforward. Here are common challenges and how to handle them:
Data in Backups
Backups complicate deletion. You can't always delete from backups immediately—they might be stored offline or encrypted. GDPR recognizes this and allows deletion from backups "as soon as possible."
Best practice: document your backup retention policy and deletion schedule. When backups are restored or rotated, ensure deleted data isn't included.
Anonymized Data
If data is truly anonymized (not pseudonymized), it's no longer personal data and deletion rights don't apply. But be careful—true anonymization is harder than it sounds.
If you can re-identify someone using other data you have, it's pseudonymized, not anonymized, and deletion rights still apply.
Legal Holds
If data is subject to a legal hold (for litigation or investigation), you can't delete it even if a user requests deletion. Document the hold and explain to the user why deletion isn't possible.
Third-Party Services
If you use third-party services that process user data, you need to request deletion from them too. This can be time-consuming and requires coordination.
Consider including deletion requirements in your vendor contracts. This makes the process smoother when requests come in.
Best Practices
Here are practices that make deletion requests easier to handle:
Minimize data collection. The less data you collect, the less you need to delete. Only collect what you actually need.
Set retention periods. Don't keep data forever "just in case." Set clear retention periods and delete automatically when they expire.
Document everything. Keep records of deletion requests, what was deleted, and why. This helps with compliance audits.
Train your team. Make sure customer service, engineering, and legal teams know how to handle deletion requests.
Test your process. Periodically test your deletion process. Try deleting a test account and verify everything is removed.
The Bottom Line
Data deletion requests are a normal part of running a privacy-compliant business. They're not something to fear—they're something to prepare for.
Have a process, know where your data lives, and respond promptly and transparently. Most requests are straightforward if you're prepared. The ones that aren't—involving legal holds or complex data sharing—benefit from having a clear process to follow.
Remember: deletion requests are about user rights and trust. Handle them well, and you build trust. Handle them poorly, and you risk compliance issues and user frustration.
Start preparing now, before you get your first request. Future you will thank present you.